Abstract

We present a new protocol to perform non-interactive verifiable secret redistribution (VSR) for secrets distributed with Shamir's secret sharing scheme. We base our VSR protocol on Desmedt and Jajodia's redistribution protocol for linear secret sharing schemes, which we specialize for Shamir's scheme. We extend their redistribution protocol with Feldman's non-interactive verifiable secret sharing scheme to ensure that a SUBSHARES-VALID condition is true after redistribution. We show that the SUBSHARES-VALID condition is necessary but not sufficient to guarantee that the new shareholders have valid shares, and present an additional SHARES-VALID condition.
1 Introduction

Suppose we have a system that distributes shares of a secret to a set of n servers such that the system can reconstruct the secret, or perform distributed computations, with m of the n shares. An example of such a system is a multiparty signature system in which a dealer distributes shares of a key to a set of signature servers. The servers can then collaborate to create digital signatures, but none will have knowledge of the key. Other examples of such systems include survivable storage systems in which a client stores data objects on remote storage servers. The client can retrieve its objects even if up to (n − m) servers fail, and adversaries that subvert fewer than m servers gain no knowledge about the objects.

If a server fails or is subverted by an adversary, we may wish to redistribute the remaining shares to a new set of n' servers. The dealer may be unavailable for redistribution of the shares, since it may have gone off-line since distribution. The servers may be available, but they are not trusted with the secret. Thus, we require a protocol for redistribution without reconstruction of the secret. We also require verification that the new shareholders have valid shares (ones that can be used to reconstruct the secret).

We present a new protocol to perform non-interactive verifiable secret redistribution (VSR) for secrets distributed with Shamir's secret sharing scheme [22]. Suppose we have distributed shares of a secret to shareholders in Shamir's (m, n) threshold scheme (one in which we require m of n shares to reconstruct the secret), and wish to redistribute the secret to shareholders in a new (m', n') scheme. Furthermore, suppose we wish to avoid reconstruction of the secret. Our VSR protocol enables the redistribution of the secret from the old to the new shareholders without reconstruction of the secret by any of the shareholders, and guarantees that the new shareholders have valid shares. Our protocol guards against faulty behavior by up to n − m of the old shareholders provided that m > n/2. Figure 1 shows the application of our VSR protocol.

We base our VSR protocol on Desmedt and Jajodia's redistribution protocol for linear secret sharing schemes, which we specialize for Shamir's scheme. In their protocol, m of n old shareholders each distribute n' subshares of their shares of a secret, and n' new shareholders combine m subshares (one from each old shareholder) to generate new shares; m' new shares are required to reconstruct the secret. Unlike our protocol, their protocol assumes non-faulty old shareholders. Thus, faulty old shareholders, without risk of detection, may cause new shareholders to generate invalid shares by distributing invalid subshares.

We extend Desmedt and Jajodia's redistribution protocol with Feldman's non-interactive verifiable secret sharing (VSS) scheme to ensure that a SUBSHARES-VALID condition is true after redistribution. With Feldman's scheme, each old shareholder broadcasts a zero-knowledge proof of the validity of the subshares to the new shareholders. The new shareholders verify the proof without further interaction with the old shareholders. Feldman assumes there exist homomorphic encryption functions that are hard to invert, allowing the old shareholders to broadcast encryptions of their shares and of the subshare generation function without revealing them. Feldman also assumes there exist reliable broadcast communication channels among all participants and private channels between every pair of participants.

[Figure 1: diagram with two panels, VSS and VSR]

Figure 1: Initial distribution of a secret k with Shamir's (m, n) threshold secret sharing scheme [22], followed by redistribution to an (m', n') scheme. Verifiable secret sharing (VSS) schemes can be used to guarantee that the shares s_1 ... s_n are valid. Our new verifiable secret redistribution (VSR) protocol can be used to guarantee that the shares s'_1 ... s'_{n'} are valid.

We show that the SUBSHARES-VALID condition is necessary but not sufficient to guarantee that new shareholders have valid shares, and present an additional SHARES-VALID condition. The old shareholders broadcast a zero-knowledge proof of the validity of their shares of the secret to the new shareholders. As before, the new shareholders verify the proof without further interaction with the old shareholders. The check of the SHARES-VALID condition also assumes there exist homomorphic encryption functions that are hard to invert, allowing old shareholders to prove the validity of their shares to new shareholders without revealing them. We prove that the SUBSHARES-VALID and SHARES-VALID conditions are necessary and sufficient to guarantee that the new shareholders generate valid shares of the original secret.

2 Related work

Blakley and Shamir invented secret sharing schemes independently. In Blakley's scheme, the intersection of m of n vector spaces yields a one-dimensional vector that corresponds to the secret. Desmedt presents a survey of other sharing schemes.

Feldman's VSS scheme is one of several to catch a dealer that attempts to distribute invalid shares. Chor et al present a scheme in which the dealer and shareholders perform an interactive secure distributed computation. Benaloh, Gennaro and Micali, Goldreich et al, and Rabin and Ben-Or subsequently propose schemes in which the dealer and shareholders participate in an interactive zero-knowledge proof of validity; the schemes of Gennaro and Micali, and Rabin and Ben-Or, are information-theoretically secure. Pedersen presents a scheme, like Feldman's, in which the dealer broadcasts a non-interactive zero-knowledge proof of validity to the shareholders. Our VSR protocol differs from previous VSS schemes in that the multiple "dealers" of the new shares (the old shareholders) do not have the original secret, and must use other information to generate a proof for the new shareholders. Also, unlike in VSS schemes, each new shareholder must perform two checks: one to verify the validity of the subshares distributed by the old shareholders, and another to verify the validity of the shares generated by the new shareholders.

Desmedt and Jajodia present the first protocol to alter the access structure of a secret sharing scheme by physical redistribution of shares between the old and new shareholders. Cachin proposes a secret sharing scheme that enrolls (adds) shareholders in the access structure after the initial sharing. Blakley et al consider threshold schemes that disenroll (remove) shareholders from the access structure with broadcast messages. For these schemes, the set of new shareholders is not disjoint from the old; rather, it is either a superset (for Cachin) or a subset (for Blakley et al). Blundo et al present a scheme in which the dealer uses broadcast messages to activate different, possibly disjoint, authorized subsets. Blundo's scheme requires shareholders to have a share regardless of whether or not they are in the active authorized subset, in contrast to Desmedt and Jajodia's scheme. Our VSR protocol, like Desmedt and Jajodia's protocol, alters the access structure of a scheme by physical redistribution of shares, and additionally provides a proof to the new shareholders that they have valid shares.

Ostrovsky and Yung define mobile adversaries that subvert storage servers at a constant rate, and propose a general proactive secret sharing (PSS) protocol for the periodic redistribution of shares to counteract them. Their protocol redistributes shares to the same access structure. Herzberg et al specialize the proactive approach to Shamir's scheme, and other researchers use this work to develop robust and secure multiparty signature schemes. Zhou, Schneider, and van Renesse propose a PSS protocol for asynchronous, wide-area networks, and employ it in an on-line certification authority. Our VSR protocol, unlike PSS protocols, can redistribute shares to arbitrary access structures. However, we assume there exist reliable broadcast communication channels among all participants and private channels between every pair of participants in our protocol, which Zhou et al avoid in their asynchronous protocol.

3 The building blocks for the VSR protocol

In this section, we outline the cryptographic protocols that form the building blocks for our VSR protocol. We begin with a summary of Desmedt and Jajodia's secret redistribution protocol for linear secret sharing schemes, and we show how to specialize its operation to Shamir's secret sharing scheme [22]. We follow with a recap of Feldman's VSS scheme, and present an application by Herzberg et al of Feldman's scheme to Shamir's scheme.

3.1 Mathematical notation

A linear secret sharing scheme is an algorithm for the distribution of shares of a secret to a group of shareholders such that the secret is a linear combination of a subset of the shares. We define a secret k to be in the set K of secrets, and each shareholder i to be in the set P of shareholders. To distribute k, we generate a share s_i for each i in P, where s_i is in the set S_i of shares, and S_i is in the set S of share sets. To reconstruct the secret, we combine s_i from all i in an authorized subset B of P:

k = \sum_{i \in B} \psi_i(s_i)   (1)

ψ_i is a homomorphism from S_i to K; we aggregate the ψ_i into the set ψ of homomorphisms. The authorized subsets are in the access structure Γ_P. We represent a linear sharing scheme as a tuple (Γ_P, K, S, ψ).


3.2 Shamir's secret sharing scheme

Shamir presents an (m, n) threshold secret sharing scheme based on polynomial interpolation [22]. The secret k is in Z_p (p prime; p > n), and each shareholder i is in the set P (|P| = n). All mathematical operations are in the finite field Z_p. To distribute k, we select a polynomial a(x) with degree m − 1 and constant term k, and generate a share s_i for each i in P with a(x):

s_i = k + a_1 i + \ldots + a_{m-1} i^{m-1}   (2)

where s_i is also in Z_p. To reconstruct k, we retrieve m coordinate pairs (i, s_i) of all i in B (|B| = m; B ∈ Γ_P), and use the pairs in the Lagrange interpolation formula:

k = \sum_{i \in B} b_i s_i \quad \text{where} \quad b_i = \prod_{j \in B,\, j \neq i} \frac{j}{j - i}   (3)

We represent Shamir's scheme with the tuple (Γ_P, Z_p, {Z_p}, ψ_P), where ψ_i(s_i) = b_i s_i and ψ_i ∈ ψ_P.


3.3 Desmedt and Jajodia's share redistribution protocol

Desmedt and Jajodia present a protocol for the redistribution of secrets distributed by linear sharing schemes without reconstruction of the original secret. Suppose we have distributed shares s_i of a secret k to shareholders i using the scheme (Γ_P, K, S, ψ), and wish to redistribute it using a different scheme (Γ_{P'}, K, S', ψ'). We achieve this by selecting an authorized subset B in Γ_P and using an intermediate scheme (Γ_{P'}, S_i, Ŝ_i, ψ̂_i) to distribute subshares ŝ_{ij} of each s_i of i in B to each shareholder j in P', where the set Ŝ_i of sets of subshares is:

\hat{S}_i = \{ \hat{s}_{ij} : j \in B',\ B' \in \Gamma_{P'} \}   (4)

and the set ψ̂_i of homomorphisms from Ŝ_i to S_i is:

\hat{\psi}_i = \{ \hat{\psi}_{ij} : j \in B',\ B' \in \Gamma_{P'} \}   (5)

If we treat ŝ_{ij} as being distributed by another intermediate scheme (Γ_P, S'_j, Ŝ'_j, ψ̂'_j) (with Ŝ'_j and ψ̂'_j defined as Ŝ_i and ψ̂_i in Equations (4) and (5)), we can generate a share s'_j for each j. For schemes that satisfy the conditions in Figure 2 we can use the protocol in Figure 3 to redistribute shares.

1. There exists a linear sharing scheme (Γ_P, K, S, ψ), and each i ∈ P has received a share s_i ∈ S_i ∈ S of k ∈ K.

2. For each i ∈ P there exists an intermediate linear scheme (Γ_{P'}, S_i, Ŝ_i, ψ̂_i) for distributing shares s_i into subshares ŝ_{ij} to each j ∈ P'.

3. Addition of elements in K is commutative.

4. For each i ∈ B ∈ Γ_P and j ∈ B' ∈ Γ_{P'}, there exist homomorphisms ψ_i, ψ̂_{ij}, ψ'_j, and ψ̂'_{ji} such that:

\psi_i(\hat{\psi}_{ij}(\hat{s}_{ij})) = \psi'_j(\hat{\psi}'_{ji}(\hat{s}_{ij}))

Figure 2: Conditions required for the redistribution of shares from linear sharing schemes.

Non-verifiable Secret Redistribution protocol:

To redistribute shares s_i of a secret k distributed using the linear sharing scheme (Γ_P, K, S, ψ) into shares s'_j distributed using the linear sharing scheme (Γ_{P'}, K, S', ψ'):

1. Select an authorized subset B in Γ_P. Use the intermediate linear scheme (Γ_{P'}, S_i, Ŝ_i, ψ̂_i) to distribute subshares ŝ_{ij} of each share s_i of i in B to each j in P'.

2. For each j ∈ P', compute a new share s'_j by treating the subshares as those distributed by another intermediate scheme (Γ_P, S'_j, Ŝ'_j, ψ̂'_j), and using a variant of Equation (1):

s'_j = \sum_{i \in B} \hat{\psi}'_{ji}(\hat{s}_{ij})

Figure 3: Redistribution protocol for linear sharing schemes.

To redistribute secrets from Shamir's (m, n) threshold secret sharing scheme [22] to an (m', n') scheme using Desmedt and Jajodia's protocol, we first need to show that the conditions in Figure 2 hold. Desmedt and Jajodia present a sketch of the specialization of their protocol to Shamir's scheme, but no details. We represent the (m, n) and (m', n') schemes as (Γ_P, Z_p, {Z_p}, ψ_P) and (Γ_{P'}, Z_p, {Z_p}, ψ_{P'}) respectively.

1. Reconstruction of the original secret from the shares s_i in Equation (3) is a linear recombination in the form of Equation (1), and so the scheme (Γ_P, Z_p, {Z_p}, ψ_P) is linear. Thus, Condition 1 holds.

2. Generation of the subshares ŝ_{ij} of s_i for each shareholder j in P' can be performed with the new scheme: (Γ_{P'}, S_i, Ŝ_i, ψ̂_i) = (Γ_{P'}, Z_p, {Z_p}, ψ_{P'}). Thus, Condition 2 holds.

3. Addition in Z_p is commutative. Thus, Condition 3 holds.

4. Given the old scheme (Γ_P, Z_p, {Z_p}, ψ_P), the new scheme (Γ_{P'}, Z_p, {Z_p}, ψ_{P'}), and the intermediate scheme (Γ_{P'}, Z_p, {Z_p}, ψ_{P'}) (from Condition 2), the homomorphisms ψ_i, ψ̂_{ij}, and ψ'_j are:

\psi_i(s_i) = b_i s_i \quad \text{where} \quad b_i = \prod_{x \in B,\, x \neq i} \frac{x}{x - i}

\hat{\psi}_{ij}(\hat{s}_{ij}) = b'_j \hat{s}_{ij}

\psi'_j(s'_j) = b'_j s'_j

(b'_j is the Lagrange coefficient of j, defined as b_i is, with B' in place of B.) We need to find ψ̂'_{ji}. We have:

\psi_i(\hat{\psi}_{ij}(\hat{s}_{ij})) = b_i (b'_j \hat{s}_{ij})   (definitions of ψ_i and ψ̂_{ij})
= b'_j (b_i \hat{s}_{ij})   (xy = yx; x(yz) = (xy)z)
= \psi'_j(b_i \hat{s}_{ij})   (definition of ψ'_j)
= \psi'_j(\hat{\psi}'_{ji}(\hat{s}_{ij}))   (define ψ̂'_{ji}(ŝ_{ij}) = b_i ŝ_{ij})

Thus, Condition 4 holds by defining:

\hat{\psi}'_{ji}(\hat{s}_{ij}) = b_i \hat{s}_{ij}

□
Non-verifiable Secret Redistribution protocol (for Shamir's scheme):

To redistribute shares from (Γ_P, Z_p, {Z_p}, ψ_P) to (Γ_{P'}, Z_p, {Z_p}, ψ_{P'}), using an authorized subset B ∈ Γ_P:

1. For each i ∈ B, for each j ∈ P', compute subshares ŝ_{ij} from the polynomial a'_i(x).

2. For each j ∈ P', transfer ŝ_{ij}.

3. For each j ∈ P', compute the new share s'_j using the Lagrange interpolation formula:

s'_j = \sum_{i \in B} b_i \hat{s}_{ij} \quad \text{where} \quad b_i = \prod_{x \in B,\, x \neq i} \frac{x}{x - i}

b_i are constant for each i ∈ B, are independent of the choice of a'_i(x), and may be precomputed.

Figure 4: Protocol to redistribute shares from Shamir's (m, n) threshold secret sharing scheme [22] to an (m', n') scheme.

Feldman's Verifiable Secret Sharing scheme (for Shamir's scheme):

To distribute a secret k ∈ Z_p to shareholders P = {1, ..., n}:

1. Compute the shares s_i for secret k using a polynomial a(x) = k + a_1 x + ... + a_{m-1} x^{m-1}, and distribute the shares to the corresponding i ∈ P over private channels.

2. Send g^k and g^{a_1} ... g^{a_{m-1}} to all i ∈ P over the broadcast channel.

3. For each i ∈ P, verify that:

g^{s_i} = g^k (g^{a_1})^i \cdots (g^{a_{m-1}})^{i^{m-1}}

If the check passes, i broadcasts a "commit" message. Otherwise, i broadcasts an "abort" message.

Figure 5: Feldman's verifiable secret sharing scheme, as applied to Shamir's (m, n) threshold secret sharing scheme [22] by Herzberg et al.


To perform redistribution, we treat each of the shares generated by Shamir's (m, n) threshold scheme as a secret to distribute using the (m', n') scheme. We use the scheme (Γ_{P'}, Z_p, {Z_p}, ψ_{P'}) to compute a subshare ŝ_{ij} of s_i for each j in P', for s_i of each i in B; we note that each i can select its own polynomial a'_i(x) (Equation (2)). Then, each j computes a new share s'_j from ŝ_{ij} as described in Figure 3 with ψ̂'_{ji}:

s'_j = \sum_{i \in B} b_i \hat{s}_{ij}   (6)

A summary of the redistribution protocol for Shamir's scheme is shown in Figure 4.

3.4 Feldman's VSS scheme

Feldman presents a VSS scheme that can be used by shareholders of a secret to verify the validity of their shares. Here, we recap an application by Herzberg et al of Feldman's scheme to Shamir's secret sharing scheme [22]. Feldman's scheme is shown in Figure 5.

The application of Feldman's VSS scheme to Shamir's scheme takes advantage of the homomorphic properties of exponentiation and the assumption that the computation of discrete logs in a finite field is intractable. As before, we represent Shamir's (m, n) threshold scheme with the tuple (Γ_P, Z_p, {Z_p}, ψ_P). Suppose g is a generator for Z_p:

\forall b \in \{1, \ldots, p-1\}\ \exists a \in \{1, \ldots, p-1\} : g^a = b \bmod p

Then, the dealer of the secret k in set Z_p, in addition to sending shares s_i in Z_p to each i in the set P of shareholders, broadcasts exponentiations of k and of the coefficients a_1 ... a_{m-1} of the polynomial used by the dealer to generate the shares (g^k and g^{a_1} ... g^{a_{m-1}}). Each i may then verify that their s_i is a valid share of k from the following:

g^{s_i} = g^k (g^{a_1})^i \cdots (g^{a_{m-1}})^{i^{m-1}}   (7)

which is the exponentiation of the polynomial a(x) from Shamir's scheme in Equation (2). Since we have assumed that the computation of discrete logs is intractable, we assume that none of the shareholders can learn k (or a_1 ... a_{m-1}) from the broadcast of g^k.

4 The non-interactive VSR protocol

We present our non-interactive verifiable secret redistribution protocol for secrets distributed with Shamir's secret sharing scheme [22]. We represent the (m, n) and (m', n') threshold schemes with (Γ_P, Z_p, {Z_p}, ψ_P) and (Γ_{P'}, Z_p, {Z_p}, ψ_{P'}) respectively. We assume the computation of discrete logs in a finite field is intractable, and that there exist reliable broadcast communication channels among all participants and private channels between every pair of participants. We also assume that there are at most n − m faulty old shareholders, that m > n/2, and that there are n' non-faulty new shareholders.

The initial distribution of a secret (Initialize in Figure 6) proceeds as in Feldman's VSS scheme. The dealer of secret k in Z_p distributes shares s_i in Z_p to each shareholder i in the set P of shareholders, using the polynomial a(x) (step 1 of Initialize). The dealer also broadcasts g^k and g^{a_1} ... g^{a_{m-1}}, which each i uses to verify the validity of s_i (steps 2 and 3 of Initialize) as in Equation (7). If the check passes, i stores s_i and g^k (step 4 of Initialize). For trusted dealers, we can use Shamir's scheme directly for the initial distribution.

Redistribution of the secret from old to new shareholders (Redistribute in Figure 6) proceeds as in Desmedt and Jajodia's protocol. Each i in an authorized subset B distributes subshares ŝ_{ij} in Z_p of s_i to each shareholder j in the set P' of shareholders, using the polynomial a'_i(x) (step 1 of Redistribute); a'_i(x) for each i may be distinct. Each j generates the new share s'_j (step 4 of Redistribute). We may redistribute the secret an arbitrary number of times before we reconstruct it.

For the new shareholders to verify that their shares of the secret are valid after redistribution (step 1 of Redistribute in Figure 6), we require that two conditions, SHARES-VALID and SUBSHARES-VALID, are true. When all i in B (B in Γ_P) redistribute s_i to each j in P', all s'_j are valid shares of k if:

SHARES-VALID:

k = \sum_{i \in B} b_i s_i

SUBSHARES-VALID:

\forall i \in B,\ B' \in \Gamma_{P'} : s_i = \sum_{j \in B'} b'_j \hat{s}_{ij}

We use Feldman's VSS scheme to verify that SUBSHARES-VALID is true in our protocol. The distribution of ŝ_{ij} from s_i (step 1 of Redistribute in Figure 6) is a simple application of the scheme (Γ_{P'}, Z_p, {Z_p}, ψ_{P'}). Thus, each i in B broadcasts g^{s_i} and g^{a'_{i1}} ... g^{a'_{i(m'-1)}}, which each j uses to verify the validity of ŝ_{ij} (step 2 of Redistribute). Each j still needs to check whether all s_i of i in B were valid shares of k.
Verifiable Secret Redistribution protocol:

Initialize: To distribute a secret k ∈ Z_p to shareholders P = {1, ..., n}:

1. Compute the shares s_i for secret k using a polynomial a(x) = k + a_1 x + ... + a_{m-1} x^{m-1}, and distribute the shares to the corresponding i ∈ P over private channels.

2. Send g^k and g^{a_1} ... g^{a_{m-1}} to all i ∈ P over the broadcast channel.

3. For each i ∈ P, verify that:

g^{s_i} = g^k (g^{a_1})^i \cdots (g^{a_{m-1}})^{i^{m-1}}

If the check passes, i broadcasts a "commit" message. Otherwise, i broadcasts an "abort" message.

4. If all n i ∈ P agree to commit, each i stores s_i and g^k. Otherwise, they abort the protocol.

Redistribute: To redistribute k from shares held by shareholders i in an authorized subset B ∈ Γ_P to shareholders P' = {1, ..., n'}:

1. For each i ∈ B, compute the subshares ŝ_{ij} for share s_i using a polynomial a'_i(x) = s_i + a'_{i1} x + ... + a'_{i(m'-1)} x^{m'-1}, and distribute the subshares to the corresponding j ∈ P' over private channels.

2. For each i ∈ B, send g^k, g^{s_i}, and g^{a'_{i1}} ... g^{a'_{i(m'-1)}} to all j ∈ P' over the broadcast channel.

3. For each j ∈ P', verify that:

\forall i \in B : g^{\hat{s}_{ij}} = g^{s_i} (g^{a'_{i1}})^j \cdots (g^{a'_{i(m'-1)}})^{j^{m'-1}}

and:

g^k = \prod_{i \in B} (g^{s_i})^{b_i} \quad \text{where} \quad b_i = \prod_{x \in B,\, x \neq i} \frac{x}{x - i}

If both checks pass, j broadcasts a "commit" message. Otherwise, j broadcasts an "abort" message.

4. If all n' j ∈ P' agree to commit, each j computes s'_j:

s'_j = \sum_{i \in B} b_i \hat{s}_{ij}

and stores s'_j and g^k. Otherwise, they abort the protocol.

Figure 6: Verifiable secret redistribution protocol for the redistribution of shares from Shamir's (m, n) threshold secret sharing scheme to an (m', n') scheme.


Unfortunately, we cannot use Feldman's VSS scheme to check if SHARES-VALID is true. For example, suppose each i in P used the scheme to verify the validity of s_i of k. Each i in P could store g^k, g^{s_i}, and g^{a_1} ... g^{a_{m-1}}, and broadcast them to each j in P' during redistribution. Each j would use Equation (7) to verify the validity of each s_i and generate s'_j. However, since each j generates s'_j by interpolation (step 4 of Redistribute in Figure 6) instead of using a polynomial a'(x), it has no polynomial coefficients to broadcast during a subsequent redistribution to another set P'' of shareholders. Other VSS schemes (such as Pedersen's scheme) have similar difficulties.

We can verify that SHARES-VALID is true by taking advantage of the homomorphic properties of exponentiation. If we exponentiate both sides of Equation (3), we obtain the SHARES-VALID verification check:

g^k = \prod_{i \in B} (g^{s_i})^{b_i}   (8)

Thus, if each j in P' receives g^k and g^{s_i} from all i in B, they can verify that all s_i were valid shares of k. Each j accomplishes verification without learning s_i, given our assumption about discrete logs.
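The following Python walk-through is an added example, not code from the paper or its authors: it runs Initialize and Redistribute from Figure 6 end to end, including both checks a new shareholder performs, shows that a corrupted subshare is caught by the SUBSHARES-VALID check, and then redistributes a second time from new shareholders who hold only s'_j and g^k. It assumes toy parameters and function names of my own (q = 509, p = 2q + 1, g of order q); working in a prime-order subgroup rather than with a generator of all of Z_p, as the text describes, is what makes the exponent arithmetic of Equations (7) and (8) agree with share arithmetic mod q.

```python
"""Added walk-through (not the paper's code) of the VSR protocol in Figure 6:
Initialize with Feldman commitments, Redistribute to an (m', n') scheme, the
SUBSHARES-VALID and SHARES-VALID checks (Equations (7) and (8)) run by each
new shareholder, and a second redistribution by the new shareholders, who
hold only s'_j and g^k. All parameters and values are constructed."""
import random

# Constructed toy parameters: p = 2q + 1 is a safe prime and g = 2^2 mod p
# generates the subgroup of prime order q. Secrets, shares and Lagrange
# coefficients live in Z_q so exponent arithmetic matches share arithmetic.
Q = 509
P = 2 * Q + 1            # 1019, prime
G = pow(2, 2, P)         # element of order Q in Z_p^*


def lagrange_coeff(i, subset):
    """b_i = prod_{x in subset, x != i} x / (x - i) mod Q (Equation (3))."""
    b = 1
    for x in subset:
        if x != i:
            b = b * x * pow((x - i) % Q, -1, Q) % Q
    return b


def deal(secret, m, holders, rng):
    """Shamir dealer with Feldman commitments: returns {i: s_i} and the
    broadcast list [g^secret, g^{a_1}, ..., g^{a_{m-1}}]."""
    coeffs = [secret] + [rng.randrange(Q) for _ in range(m - 1)]
    shares = {i: sum(c * pow(i, e, Q) for e, c in enumerate(coeffs)) % Q
              for i in holders}
    return shares, [pow(G, c, P) for c in coeffs]


def feldman_check(i, share, commits):
    """Equation (7): g^{s_i} == g^k * prod_e (g^{a_e})^{i^e} mod p."""
    rhs = 1
    for e, c in enumerate(commits):
        rhs = rhs * pow(c, pow(i, e, Q), P) % P
    return pow(G, share, P) == rhs


def redistribute(old_shares, gk, B, new_m, new_holders, rng, faulty=()):
    """Steps 1 and 2 of Redistribute: each i in B deals s_i as the secret of
    an (m', n') scheme and broadcasts (g^k, [g^{s_i}, g^{a'_{i1}}, ...]).
    Old shareholders in `faulty` corrupt the subshare sent to the first new
    shareholder. Returns each j's inbox: {j: ({i: s_ij}, broadcasts)}."""
    subshares, broadcasts = {}, {}
    for i in B:
        sub_i, commits_i = deal(old_shares[i], new_m, new_holders, rng)
        if i in faulty:
            sub_i[new_holders[0]] = (sub_i[new_holders[0]] + 1) % Q
        subshares[i], broadcasts[i] = sub_i, (gk, commits_i)
    return {j: ({i: subshares[i][j] for i in B}, broadcasts) for j in new_holders}


def verify_as_new_shareholder(j, my_subshares, broadcasts, B):
    """Step 3 of Redistribute. Returns (subshares_valid, shares_valid)."""
    # SUBSHARES-VALID: Equation (7) with g^{s_i} in the role of g^k.
    subshares_ok = all(feldman_check(j, my_subshares[i], broadcasts[i][1])
                       for i in B)
    # SHARES-VALID: Equation (8), g^k == prod_{i in B} (g^{s_i})^{b_i}; all
    # i in B must also have broadcast the same g^k.
    gk_values = {bc[0] for bc in broadcasts.values()}
    prod = 1
    for i in B:
        prod = prod * pow(broadcasts[i][1][0], lagrange_coeff(i, B), P) % P
    shares_ok = len(gk_values) == 1 and prod in gk_values
    return subshares_ok, shares_ok


def reconstruct(points):
    """Lagrange interpolation at 0 (Equation (3)) over {x: value}."""
    xs = list(points)
    return sum(lagrange_coeff(x, xs) * points[x] for x in xs) % Q


def vsr_round(old_shares, gk, B, new_m, new_holders, rng, faulty=()):
    """One Redistribute round: ({j: s'_j}, verdicts) if every j commits,
    (None, verdicts) if some j would broadcast "abort"."""
    inbox = redistribute(old_shares, gk, B, new_m, new_holders, rng, faulty)
    verdicts = {j: verify_as_new_shareholder(j, *inbox[j], B) for j in new_holders}
    if not all(ok for v in verdicts.values() for ok in v):
        return None, verdicts
    # Step 4 / Equation (6): s'_j = sum_{i in B} b_i * s_ij, which is the
    # same interpolation as reconstruct() applied to j's subshares.
    return {j: reconstruct({i: inbox[j][0][i] for i in B}) for j in new_holders}, verdicts


def demo(secret=123, seed=1, faulty=()):
    """Deal a (3,5) sharing, redistribute to (2,4), then to (3,4), and
    reconstruct from 3 of the 4 final shares."""
    rng = random.Random(seed)
    shares, commits = deal(secret, 3, [1, 2, 3, 4, 5], rng)
    gk = commits[0]                      # each i stores s_i and g^k
    new1, verdicts = vsr_round(shares, gk, [1, 2, 3], 2, [1, 2, 3, 4], rng, faulty)
    if new1 is None:
        return None, verdicts
    new2, _ = vsr_round(new1, gk, [2, 4], 3, [1, 2, 3, 4], rng)
    return reconstruct({j: new2[j] for j in [1, 3, 4]}), verdicts
```

Calling `demo(faulty=(1,))` makes old shareholder 1 send a bad subshare to new shareholder 1, whose verdict becomes (False, True): only that j detects it, the faulty i is not identified, and the round is aborted, as Section 4.1 describes.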

4.1 Assumptions about faulty shareholders

When we redistribute the secret k in Z_p from the scheme (Γ_P, Z_p, {Z_p}, ψ_P) to the scheme (Γ_{P'}, Z_p, {Z_p}, ψ_{P'}) with our VSR protocol, we assume at least m of the n shareholders in P and all n' of the shareholders in P' are non-faulty, and up to n − m of the remaining shareholders in P may be faulty. We denote faulty shareholders, and the values they distribute, with over-bars. A non-faulty shareholder i in P distributes valid subshares ŝ_{ij} of its share s_i to all shareholders j in P' and broadcasts g^k corresponding to k. A faulty shareholder \bar{i} in P may distribute invalid subshares \bar{\hat{s}}_{\bar{i}j} or broadcast \overline{g^k} not corresponding to k.

We also assume we do not know which m of the n shareholders in P are non-faulty. Suppose we include a faulty shareholder \bar{i} in our selection of B in Γ_P to participate in redistribution (Redistribute in Figure 6). However, if \bar{i} distributes \bar{\hat{s}}_{\bar{i}j}, one of the j will detect the presence of \bar{i} since one of the verification checks in Equations (7) or (8) will fail. Alternatively, if \bar{i} broadcasts \overline{g^k}, all j will detect the discrepancy when non-faulty old shareholders broadcast g^k. Thus, \bar{i} must participate in the protocol without fault or risk detection. If we detect the presence of \bar{i}, we must restart redistribution with another set of m old shareholders. Unfortunately, we cannot identify \bar{i} with our protocol.

The assumption that we do not know which m shareholders in P are non-faulty bounds the relative values of m and n. We assume we can detect discrepancies between \overline{g^k} and g^k broadcast by faulty and non-faulty shareholders in P respectively. However, if we were to select a group of m faulty shareholders \bar{i} inadvertently, then we would be unable to detect discrepancies if all \bar{i} broadcast \overline{g^k}. We therefore require that m > n/2 so each authorized subset B in Γ_P has at least one non-faulty shareholder; if m ≤ n − m, faulty shareholders in P could conspire to reconstruct k.

The requirement that all n' shareholders in P' are non-faulty is reasonable if we view the purpose of our VSR protocol as one of detecting faulty behavior by shareholders in P. This is analogous to one of the assumptions underlying Feldman's VSS scheme, in which the shareholders are implicitly trusted to store valid shares (and reject invalid shares) of a secret.

4.2 Correctness

We prove that if the SHARES-VALID and SUBSHARES-VALID conditions are true after the share redistribution, then the new shareholders have valid shares of the original secret. We also show that Equations (7) and (8) check that the two conditions are true.

Lemma 1 If the check in Equation (8) is true, then SHARES-VALID is true.

PROOF: Assume the check in Equation (8) is true. It then follows that SHARES-VALID is true from Equation (3) and the homomorphic properties of exponentiation. □

Lemma 2 If the check in Equation (7) is true, then SUBSHARES-VALID is true.

PROOF: Proved by Feldman. □

Theorem 1 (VSR theorem) For Shamir's (m, n) threshold secret sharing scheme (Γ_P, Z_p, {Z_p}, ψ_P) and the (m', n') scheme (Γ_{P'}, Z_p, {Z_p}, ψ_{P'}), for all secrets k ∈ Z_p, and for all authorized subsets B ∈ Γ_P, if SHARES-VALID and SUBSHARES-VALID are true after the execution of the REDISTRIBUTION step (Figure 6) of the VSR protocol, then all shareholders j in all authorized subsets B' ∈ Γ_{P'} hold valid shares of k.

PROOF: Assume both SHARES-VALID and SUBSHARES-VALID are true. Then:

k = \sum_{i \in B} b_i s_i   (SHARES-VALID)
  = \sum_{i \in B} b_i \left( \sum_{j \in B'} b'_j \hat{s}_{ij} \right)   (SUBSHARES-VALID)
  = \sum_{i \in B} \sum_{j \in B'} b_i b'_j \hat{s}_{ij}   (x(y + z) = xy + xz)
  = \sum_{i \in B} \sum_{j \in B'} b'_j b_i \hat{s}_{ij}   (xy = yx)
  = \sum_{j \in B'} \sum_{i \in B} b'_j b_i \hat{s}_{ij}   (x + y = y + x)
  = \sum_{j \in B'} b'_j \left( \sum_{i \in B} b_i \hat{s}_{ij} \right)   (xy + xz = x(y + z))
  = \sum_{j \in B'} b'_j s'_j   (Equation (6))

□

5 Summary and future work

We have presented a protocol for the verifiable redistribution of secrets distributed with Shamir's secret sharing scheme [22]. We have proven that new shareholders have valid shares after redistribution if the SHARES-VALID and SUBSHARES-VALID conditions are true, and have given the corresponding verification checks. We have shown that our protocol guards against faulty behavior by up to n − m of the old shareholders provided that m > n/2. In our presentation, we have assumed that the computation of discrete logs in a finite field is intractable, and that there exist reliable broadcast communication channels among all participants and private channels between every pair of participants.

As part of our future work, we will investigate ways to identify faulty old shareholders during redistribution, and to relax the bounds on the number of non-faulty new shareholders. We also plan to implement our protocol to evaluate its performance costs over non-verifiable redistribution protocols.